BlueTrace is an open-source application protocol that facilitates digital contact tracing of users to stem the spread of the COVID-19 pandemic.

Additionally, since temporary IDs change on a regular basis, malicious third parties cannot track users by observing log entries over time.

The DDC component operates on top of the existing Bluetooth Low Energy protocol, defining how two devices acknowledge each other's presence.[10]: p.

2  The DRSC component uses HTTPS to communicate a timeline of visits to a centralized server owned by a health authority once a user has tested positive for an infection.

The reporting server is responsible for handling initial registration, provisioning unique user identifiers, and collecting contact logs created by the DDC part of the protocol.

When the user first launches a BlueTrace app, they will be asked for their internationally formatted phone number and are assigned a static UserID.[10]: section.

Each TempID has a lifetime of 15 minutes to prevent malicious parties from performing replay attacks or tracking users over time with static unique identifiers.[10]: section.

The start and expiry date are compared with the encounter timestamp to ensure validity, and the UserID is matched to a phone number.

The PseudoID is a salted cryptographic hash of the UserID, designed to allow foreign health authorities to perform statistical analysis on contact logs and communicate about a specific user without revealing unnecessary personal information.

The ability of users to withdraw consent to the use and collection of their data at any time was an important consideration in the design of the protocol.[10]: section.

One of the largest privacy concerns raised about protocols such as BlueTrace or PEPP-PT is the usage of centralised report processing.

Protocols using this approach, such as TCN and DP-3T, have the client upload a number from which encounter tokens can be derived by individual devices.

[19] Inherent in the fact the protocol never allows the government access to contact logs, this approach has major privacy benefits.

[36] Accompanying the release, Peter Dutton, the Minister for Home Affairs, announced new legislation that would make it illegal to force anyone to hand over data from the app, even if they had registered and tested positive.